[Rt-commit] rt branch, 4.2/csrf-whitelist, repushed
Dustin Graves
dustin at bestpractical.com
Wed Aug 5 15:47:21 EDT 2015
The branch 4.2/csrf-whitelist was deleted and repushed:
was 5bdaa0f92f0ff2b4d68fb957b66faa558222aa59
now b48c4ae85ab366be51ebc40e8165070fdd557924
1: 5bdaa0f ! 1: b48c4ae add CSRF whitelist for component parameters
@@ -2,8 +2,10 @@
add CSRF whitelist for component parameters
- in particular, /Search/Build.html param SavedSearchLoad is whitelisted,
- but not other parameters
+ in particular,
+ /Search/Build.html params SavedSearchLoad, NewQuery
+ /Ticket/Update.html params QuoteTransaction, Action, DefaultStatus
+ /Articles/Article/ExtractIntoClass.html param Ticket
move parameter whitelist logic into own sub
add CSRF tests to test this new behavior
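Review bot: the message says which parameters are whitelisted but not why each one is safe to accept on a request with no Referer, and for `/Ticket/Update.html params QuoteTransaction, Action, DefaultStatus` the names read like state-changing inputs; state in the message what the component does with each parameter and why a GET carrying it cannot modify the ticket, so a later reader can judge whether the exemption still holds. `move parameter whitelist logic into own sub` would also be easier to find from the log if it named the sub.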
@@ -37,9 +39,15 @@
+);
+
+our %whitelisted_component_args = (
-+ # This happens when you middle-(or ⌘ )-click "Edit" for a saved search on
++ # SavedSearchLoad - This happens when you middle-(or ⌘ )-click "Edit" for a saved search on
+ # the homepage. It's not going to do any damage
-+ '/Search/Build.html' => ['SavedSearchLoad'],
++ # NewQuery - This is simply to clear the search query
++ '/Search/Build.html' => ['SavedSearchLoad','NewQuery'],
++ # Happens if you try and reply to a message in the ticket history or click a number
++ # of options on a tickets Action menu
++ '/Ticket/Update.html' => ['QuoteTransaction', 'Action', 'DefaultStatus'],
++ # Action->Extract Article on a ticket's menu
++ '/Articles/Article/ExtractIntoClass.html' => ['Ticket'],
+);
+
# Components which are blacklisted from automatic, argument-based whitelisting.
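Review bot: the `'/Ticket/Update.html'` and `'/Articles/Article/ExtractIntoClass.html'` entries lack the safety rationale the `'/Search/Build.html'` entries carry (`# the homepage. It's not going to do any damage`, `# NewQuery - This is simply to clear the search query`): their comments only say where the requests come from. Since `Action` and `DefaultStatus` look like inputs that could change ticket state, add a comment saying what the component does with them and why a Referer-less GET carrying them is harmless, and do the same for `Ticket`. Minor: `a tickets Action menu` should be `a ticket's Action menu`.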
@@ -121,6 +129,27 @@
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
++# CSRF pass for /Search/Build.html param NewQuery
++$m->add_header(Referer => undef);
++$m->get_ok("$searchBuildPath?NewQuery=1");
++$m->content_lacks('Possible cross-site request forgery');
++$m->title_is('Query Builder');
++
++# CSRF pass for /Ticket/Update.html items in ticket action menu
++$m->add_header(Referer => undef);
++$m->get_ok('/Ticket/Update.html?id=1&Action=foo');
++$m->content_lacks('Possible cross-site request forgery');
++
++# CSRF pass for /Ticket/Update.html reply to message in ticket history
++$m->add_header(Referer => undef);
++$m->get_ok('/Ticket/Update.html?id=1&QuoteTransaction=1&Action=Reply');
++$m->content_lacks('Possible cross-site request forgery');
++
++# CSRF pass for /Articles/Article/ExtractIntoClass.html
++# Action->Extract Article on ticket menu
++$m->add_header(Referer => undef);
++$m->get_ok('/Articles/Article/ExtractIntoClass.html?Ticket=1');
++$m->content_lacks('Possible cross-site request forgery');
+
# now send a referer from an attacker
$m->add_header(Referer => 'http://example.net');
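Review bot: three of the four new pass cases assert only `content_lacks('Possible cross-site request forgery')` (only the `NewQuery` case also checks `title_is('Query Builder')`), so a request that fails for an unrelated reason, such as an error page for `id=1`, would still pass; add a `title_is` or `content_contains` for the expected page in each `/Ticket/Update.html` and `ExtractIntoClass.html` case. `DefaultStatus` is whitelisted but never exercised, and there is no negative case showing that a non-whitelisted parameter added to one of these components (for example `/Ticket/Update.html?id=1&Action=foo&Other=1`) still produces the CSRF page, which is the property that keeps the whitelist from becoming a blanket exemption for the component; add both. The tests also pass `id=1` although `id` is not in `%whitelisted_component_args`, so it must be exempted by another rule; a comment pointing at that rule would make the tests easier to follow.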